VPN Annoyances

I had bigger problems with the VPN features, however. Actually, "annoyances" is probably a better description than "problems", but you can be the judge. Most of the problems annoyances centered on Linksys' QuickVPN application. QuickVPN is a free IPsec client that is downloadable from Linksys to be used with the RVS4000, RVL200 and other Linksys IPsec-enabled routers. All you need to enter on the RVS4000 is a username and password; no IPsec settings are required. You just then install QuickVPN on a Windows machine, launch it, enter the username and password and click to connect.

QuickVPN is a "blackbox" application that uses wget and openssl to set up an IPsec client-to-gateway connection. From looking at the text files that are created in the QuickVPN directory (the only debugging aids available), it looks like wget is first used to open an HTTPs connection to the RVS4000 to exchange IPsec setup information. Then openssl is used to set up the IPsec tunnel.

I had some false starts due to old versions of router firmware and QuickVPN and the fact that I had tried to enter IPsec tunnel information into the 4000 (old habits die hard, I guess). I also found that enabling DMZ appears to prevent any QuickVPN client connections.

But after resetting the router to factory defaults, reinstalling QuickVPN on my client and correctly answering a confusing popup during login, the QuickVPN client told me that I was connected. But every minute or so, it would pop up a "The remote gateway is not responding" box that led me to believe that something was broken.

So I first checked the IPsec VPN Setting Status section of the 4000's Setup Summary page, which told me that no tunnels were used. Hmmm. I then turned to the VPN Summary page that also looked like no tunnels were up. It wasn't until I looked closely at the VPN Clients Status section of that page where I finally found a connection with my name on it.

Figure 5: Can you find the VPN connection?

It seems that the 4000 treats gateway-to-gateway and client-to-gateway connections very differently—at least from a status point of view. The 4000 actually supports a total of 10 IPsec tunnels: 5 gateway-to-gateway and 5 client-to-gateway. A fact, again, not obvious from looking at the status screens, or even any of the marketing material!

The other thing notable about using QuickVPN is that it does not provide you with documentation of the IPsec configuration that it is using. And don't bother checking the IPsec VPN page on the 4000, because its settings to support QuickVPN clients aren't visible. For the record, however, Linksys said the QVPN Client makes the following proposals to the RVS4000 in the Phase-1 IKE:

1. 3DES, SHA1, DH2, PSK, SA Lifetime = 28800 sec
2. 3DES, MD5, DH2, PSK, SA Lifetime = 28800 sec
3. DES, MD5, DH1, PSK, SA Lifetime = 28800 sec

Finally, clicking the Disconnect button on the 4000 for the IPsec connection did not appear to kill the connection. At least the QuickVPN client showed no sign of being disconnected. Other than that, using QuickVPN was a breeze...really!

I should also note that you may have a difficulty debugging problem IPsec connections. As noted earlier, new log entries get added to the bottom of the logfile, so you have to scroll a lot. I didn't find the log entries particularly helpful and with Firefox I couldn't get the log pop-up screens to go behind the main window (IE was again, ok).

Tags: IPsec, Linksys, Router reviews, VPN,

Related Articles: